<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" >
<p><img src="http://info.threatstop.com/hubfs/ransomware-illustration.jpg" alt="ransomware-illustration.jpg" width="454" height="454"></p>
<p><em>Malicious Content Identified and Inserted:</em></p>
<ul>
<li>IPs – 609</li>
<li>Domains – 1381</li>
</ul>
<p><em>Target List Content Updated:</em></p>
<ul>
<li>TSCritical</li>
<li>TSRansomware</li>
<li>TSPhishing</li>
<li>TSBanking</li>
<li>TSInbound – <em>NEW!</em></li>
</ul>
<p><em>Indicators of compromise have been updated for the following:</em></p>
<p><em>(For a deeper dive into the research behind a threat or campaign, click on the links in each description)</em></p>
<ul>
<li>IOCs that were involved in <strong>suspicious scanning activities</strong> against domains and hosts.</li>
<li>IOCs that were involved in <a href="https://dochub.threatstop.com/display/TS/M#M-_malspam"><strong>Malspam</strong></a>.</li>
<li>IOCs that were involved in <strong>phishing</strong>.</li>
<li>IOCs related to the <strong>DocuSign breach</strong>, in which phishing emails carrying malware were sent to DocuSign customers’ corporate e-mail addresses.</li>
<li><strong>WannaCry</strong> is ransomware that spread widely in a short amount of time after it was detected in May 2017. It infected over 100K victims in over 99 countries by exploiting the MS17-010 vulnerability in the SMBv1 server (the exploit known as <strong>EternalBlue</strong>), and has hit large financial and governmental entities. For more information, visit our blog <a href="https://blog.threatstop.com/this-past-weekend-made-all-of-us-wannacry">here</a>.</li>
<li><strong>Jaff</strong> ransomware was found <a href="http://www.malware-traffic-analysis.net/2017/05/22/index.html">distributed</a> via Malspam from the <strong>Necurs</strong> botnet. These spam <a href="https://isc.sans.edu/forums/diary/Jaff+ransomware+gets+a+makeover/22446/">emails</a> have subjects like “Scan_84686473.” As of May 2017, <a href="http://www.malware-traffic-analysis.net/2017/05/16/index.html">it was determined</a> that <strong>Jaff</strong> ransomware is not decryptable.</li>
<li><strong>WildFire Locker</strong> is new ransomware that encrypts the user's files with AES-256 in CBC mode and demands $299 from the victim, threatening to raise the price to $999 if they do not pay within a week. It infects victims through a malicious Word document containing embedded macros.</li>
<li><strong>Emotet</strong> was first noticed in June 2014 by Trend Micro. It is a banking <a href="https://www.cert.pl/en/news/single/analysis-of-emotet-v4/">Trojan</a> that infiltrates victims’ bank accounts through a web browser infection that intercepts communication between the web page and the bank's servers. In this scenario the malware hooks specific routines to sniff network activity and steal information. This technique is typical of modern banking malware and is widely known as a Man-in-the-Browser attack.</li>
<li><strong>MoneyTaker</strong>, AKA <strong>Fin7</strong>, is a Russian-speaking cyber-crime group known for conducting targeted attacks on financial institutions globally. The group's main objective is to gain access to critical systems such as SWIFT payment systems, ATM systems, card processing systems, banking software, POS software and sensitive documents from the organization, in order to carry out further fraud schemes. One of their latest campaigns was found by FireEye in February 2017, targeting cyber security entities in the USA.</li>
<li><strong>Mirai</strong>, Linux malware targeting IoT systems, is mainly used for DDoS attacks. It spreads by identifying vulnerable devices using a table of common factory default usernames and passwords, then logging in and infecting them. This botnet was used in the recent DDoS attacks against computer security journalist Brian Krebs' web site, as well as in the October 2016 Dyn cyber-attack. You can read more in our blog, <a href="https://blog.threatstop.com/2016/11/08/mirai-dont-be-one-of-the-millions/">here</a>.</li>
<li><strong>Hancitor</strong>, also known as <strong>Tordal</strong> and <strong>Chanitor</strong>, is a <a href="http://www.malware-traffic-analysis.net/2017/05/25/index.html">malware</a> downloader known for spreading the Pony <a href="https://techhelplist.com/spam-list/1143-2017-05-25-fake-google-docs-email-claims-the-recipient-domain-sent-you-a-document-malware">and <strong>Vawtrak</strong> Trojans</a>, among others. <strong>Hancitor</strong> has recently re-appeared in malware <a href="http://www.malware-traffic-analysis.net/2017/05/16/index2.html">campaigns</a> after disappearing in 2015.</li>
<li><strong>Mole Ransomware</strong> is part of the <strong>CryptoMix</strong> malware family. It is distributed through Malspam, primarily seen as fake USPS <a href="http://www.malware-traffic-analysis.net/2017/04/26/index.html">invoices</a> dated April. Read more about Mole Ransomware in our blog post <a href="https://blog.threatstop.com/the-agile-mole">here</a>.</li>
<li><strong>BankBot</strong> is malware targeting Android OS that appears in Google Play in different forms, often impersonating well-known application icons or names. Its predecessor, <strong>BankBotAlpha</strong>, was first <a href="http://blog.fortinet.com/2017/04/26/bankbot-the-prequel">advertised</a> on December 19, 2016, on a Russian forum as a new initiative to build an Android banker from scratch. The malware obtains device admin privileges from the user and collects information such as the IMEI, banking applications present on the device, OS version, presence of root, etc. Communication with the C&amp;C is by SMS and over HTTP.</li>
<li><strong>Msposer</strong> is a generic name given to a family of Trojans that pretend to be <a href="https://www.microsoft.com/en-us/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Msposer.C">legitimate Microsoft products</a>. This type of malware may be spread by "cracks" used to run software without a valid license.</li>
<li><strong>Zyklon HTTP bot</strong> is a botnet that lets its <a href="http://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html">users</a> execute various types of DDoS attacks, data theft and fraud. It also has mechanisms to detect other malware and keep itself available, supports Tor for anonymization, and comes with a number of additional features. <strong>Zyklon HTTP Botnet</strong> targets PCs and spreads via a number of different methods, including phishing attacks. The bot is reasonably well written, with precautions for hiding its traffic from network-based detection engines, even intercepting proxies, by encrypting all of its communications.</li>
<li><strong>StreamEx</strong> is a Trojan that can perform system enumeration, modify files, and execute remote commands. It was not only used by the APT group <strong><a href="https://attack.mitre.org/wiki/Software/S0142">Shell Crew</a></strong> in targeted attacks, but was also spread through compromised Korean websites.</li>
<li><strong>Winnti group</strong>, a cybercriminal group most likely originating from China and active since 2011, with a past in traditional cybercrime (particularly financial fraud and attacks against the online video game industry), has been seen abusing GitHub by turning it into a conduit for command and control. Upon successful infection, the malware starts communicating with an HTML page from a repository stored in a GitHub project. <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/">TrendMicro</a> research claims the repository was opened for this purpose and was not compromised. Alongside the malware attributed to this group, they also use the <strong>PlugX RAT</strong>.</li>
<li><strong>Reblight</strong> is <a href="https://www.symantec.com/security_response/writeup.jsp?docid=2017-050902-5448-99">malware found by Symantec</a> that is capable of downloading files, uploading files and installing browser extensions.</li>
<li><strong>Styes</strong> is a worm <a href="https://www.symantec.com/security_response/writeup.jsp?docid=2017-052413-5239-99">detected by Symantec</a>, capable of self-spreading through shared files and removable drives.</li>
<li><strong>Qbot</strong> is Linux malware <a href="https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html">targeting IoT systems</a> that spreads by brute-forcing Telnet logins (port 23). According to one of the earliest reports, by Level 3 researchers, once the attackers gain access to a device it runs shell commands to download other malicious binaries onto the infected system. This bot has been found to be used for DDoS activity.</li>
<li><strong>RoughTed</strong> is a large malvertising operation that has been active for a year, but was seen in increased activity in March 2017. This <a href="https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/">malvertising</a> campaign is diverse and able to target any user of any operating system or browser; each platform gets a distinct payload, including exploit kits such as <strong>Magnitude</strong> and <strong>RIG</strong> EK, rogue Chrome extensions, and PUPs for Windows.</li>
<li><strong>Nemucod</strong> is a JavaScript downloader Trojan that targets users through Malspam campaigns. <strong>Nemucod</strong> downloads and executes additional <a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-practice-makes-perfect-nemucod-evolves-delivery-obfuscation-techniques-harvest-credentials/">malware</a> without the user’s consent. <strong>Nemucod</strong> usually arrives on an infected machine through malicious spam emails carrying .zip attachments. Recently, there has been a rise in cases of <strong>Nemucod</strong> distributing ransomware. Read more <a href="https://blog.threatstop.com/nemucod-spreads-through-facebook-messages">here</a>.</li>
</ul>
<p><em>Security Blog Roundup:</em></p>
<ul>
<li><a href="https://blog.threatstop.com/sambacry-vulnerability-announced-patches-released">SambaCry Vulnerability Announced, Patches Released</a></li>
<li><a href="https://blog.threatstop.com/oilrig-another-attack-wave-hits">OilRig: Another Attack Wave Hits</a></li>
<li><a href="https://blog.threatstop.com/under-the-hood">Under the Hood: How ThreatSTOP Protects Against WannaCry</a></li>
<li><a href="https://blog.threatstop.com/m3aawg-wannacry">Irena Damsky Speaking About WannaCry at M3AAWG's 40th General Meeting</a></li>
<li><a href="https://blog.threatstop.com/the-agile-mole">The Agile Mole</a></li>
<li><a href="https://blog.threatstop.com/darktrack-on-track-to-success">Darktrack on Track to Success</a></li>
<li><a href="https://blog.threatstop.com/adding-new-cybercrime-trackers">New Botnet Targets and More</a></li>
</ul></span>
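The update above inserts domain and IP indicators into named target lists, and two of the entries (Mirai and Qbot) describe scanning for IoT devices by trying factory-default Telnet credentials. The following Python script is an added example of what a defender does with that information; it is not ThreatSTOP's code, and the indicator feed, the target-list assignments and the log lines in it are constructed placeholders (documentation IP ranges and `.invalid` domains), not real indicators from this update. It matches DNS and firewall log lines against the feed (including subdomains of a listed domain and hosts inside a listed CIDR block) and flags sources that rack up repeated failed port-23 logins inside a short window, noting whether a later login from the same source succeeded.

```python
"""Added example (not ThreatSTOP's code): two defender checks that follow from
this update: matching logs against inserted domain/IP indicators, and flagging
the Telnet default-credential scanning used by Mirai and Qbot."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a feed update (indicator -> target list); placeholder
# values in reserved documentation ranges, not real indicators.
IOC_FEED = {
    "ransom-pay-example.invalid": "TSRansomware",
    "docs-login-example.invalid": "TSPhishing",
    "203.0.113.77": "TSCritical",      # single host
    "198.51.100.0/24": "TSInbound",    # CIDR block
}

# Constructed syslog-style sample lines, embedded so the example runs offline.
SAMPLE_LOGS = """\
2017-05-30T10:00:01 dns client=10.0.0.5 query=www.example.com type=A
2017-05-30T10:00:02 dns client=10.0.0.5 query=ransom-pay-example.invalid type=A
2017-05-30T10:00:03 dns client=10.0.0.9 query=mail.docs-login-example.invalid type=A
2017-05-30T10:00:04 fw src=10.0.0.9 dst=203.0.113.77 dport=443 action=allow
2017-05-30T10:00:05 fw src=198.51.100.23 dst=10.0.0.2 dport=22 action=deny
2017-05-30T10:01:00 telnet src=192.0.2.10 dst=10.0.0.20 dport=23 user=root result=fail
2017-05-30T10:01:01 telnet src=192.0.2.10 dst=10.0.0.21 dport=23 user=admin result=fail
2017-05-30T10:01:02 telnet src=192.0.2.10 dst=10.0.0.22 dport=23 user=root result=fail
2017-05-30T10:01:03 telnet src=192.0.2.10 dst=10.0.0.23 dport=23 user=support result=fail
2017-05-30T10:01:04 telnet src=192.0.2.10 dst=10.0.0.24 dport=23 user=root result=fail
2017-05-30T10:01:05 telnet src=192.0.2.10 dst=10.0.0.25 dport=23 user=admin result=success
2017-05-30T10:30:00 telnet src=10.0.0.7 dst=10.0.0.20 dport=23 user=admin result=fail
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ts> <source> k=v k=v ...' into a dict with a parsed timestamp."""
    ts, kind, rest = line.split(" ", 2)
    rec = dict(KV_RE.findall(rest))
    rec["ts"], rec["kind"] = datetime.fromisoformat(ts), kind
    return rec


def build_feed(feed):
    """Separate domain indicators from IP/CIDR indicators."""
    domains, nets = {}, []
    for ioc, target in feed.items():
        try:
            nets.append((ipaddress.ip_network(ioc, strict=False), target))
        except ValueError:  # not an address or network, so treat as a domain
            domains[ioc.lower().rstrip(".")] = target
    return domains, nets


def match_domain(name, domains):
    """Walk up the label chain so a subdomain hits a listed parent domain."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in domains:
            return parent, domains[parent]
    return None


def match_ip(addr, nets):
    ip = ipaddress.ip_address(addr)
    return next(((str(n), t) for n, t in nets if ip in n), None)


def match_iocs(log_text, feed=IOC_FEED):
    """Return (ts, observed value, matched indicator, target list) per hit."""
    domains, nets = build_feed(feed)
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec["kind"] == "dns":
            m = match_domain(rec["query"], domains)
            if m:
                hits.append((rec["ts"], rec["query"]) + m)
        elif rec["kind"] == "fw":
            for key in ("src", "dst"):
                m = match_ip(rec[key], nets)
                if m:
                    hits.append((rec["ts"], rec[key]) + m)
    return hits


def detect_telnet_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed port-23 logins inside one window.
    Mirai-style scanners try a short factory-credential list against many
    hosts, so key on the source, and note whether a later login succeeded."""
    fails, wins = defaultdict(list), defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec["kind"] == "telnet" and rec.get("dport") == "23":
            (fails if rec["result"] == "fail" else wins)[rec["src"]].append(rec["ts"])
    alerts = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over failure times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {"failures": end - start + 1,
                               "login_succeeded_after": any(w >= t for w in wins[src])}
                break
    return alerts
```

Run `match_iocs(SAMPLE_LOGS)` and `detect_telnet_bruteforce(SAMPLE_LOGS)` on the embedded sample to see the hits: the feed matches produce one row per indicator with its target list (so an alert can say "TSRansomware" rather than just "blocked"), and the Telnet check reports the one source that failed five logins within a minute and then got in, which is the sequence a Mirai or Qbot scanner leaves behind on the target side. The threshold and window are deliberately parameters; tune them against your own baseline of legitimate Telnet use before alerting on them.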